@@ -143,8 +143,9 @@ TARGETS += test_perf_event.te
endif
endif
+# Older kernels may still have the legacy lockdown class, so we need to add
+# the appropriate rules when the policy declares it.
ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
-TARGETS += test_lockdown.te
export M4PARAM += -Dlockdown_defined
endif
deleted file mode 100644
@@ -1,54 +0,0 @@
-#################################
-#
-# Policy for testing lockdown
-#
-
-attribute lockdowndomain;
-
-# Domain for lockdown (all operations allowed)
-type test_lockdown_all_t;
-domain_type(test_lockdown_all_t)
-unconfined_runs_test(test_lockdown_all_t)
-typeattribute test_lockdown_all_t lockdowndomain;
-typeattribute test_lockdown_all_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_all_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_all_t)
-corecmd_bin_entry_type(test_lockdown_all_t)
-allow test_lockdown_all_t self:lockdown integrity;
-allow test_lockdown_all_t self:lockdown confidentiality;
-
-# Domain for integrity
-type test_lockdown_integrity_t;
-domain_type(test_lockdown_integrity_t)
-unconfined_runs_test(test_lockdown_integrity_t)
-typeattribute test_lockdown_integrity_t lockdowndomain;
-typeattribute test_lockdown_integrity_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_integrity_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_integrity_t)
-corecmd_bin_entry_type(test_lockdown_integrity_t)
-allow test_lockdown_integrity_t self:lockdown integrity;
-
-# Domain for confidentiality
-type test_lockdown_confidentiality_t;
-domain_type(test_lockdown_confidentiality_t)
-unconfined_runs_test(test_lockdown_confidentiality_t)
-typeattribute test_lockdown_confidentiality_t lockdowndomain;
-typeattribute test_lockdown_confidentiality_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_confidentiality_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_confidentiality_t)
-corecmd_bin_entry_type(test_lockdown_confidentiality_t)
-allow test_lockdown_confidentiality_t self:lockdown confidentiality;
-
-# Domain for lockdown (all operations denied)
-type test_lockdown_none_t;
-domain_type(test_lockdown_none_t)
-unconfined_runs_test(test_lockdown_none_t)
-typeattribute test_lockdown_none_t lockdowndomain;
-typeattribute test_lockdown_none_t testdomain;
-
-testsuite_read_debugfs_nolockdown(test_lockdown_none_t)
-testsuite_read_tracefs_nolockdown(test_lockdown_none_t)
-corecmd_bin_entry_type(test_lockdown_none_t)
@@ -87,20 +87,3 @@ interface(`userdom_search_admin_dir', `
ifdef(`kernel_request_load_module', `', ` dnl
interface(`kernel_request_load_module', `')
')
-
-# We need to open-code these interfaces, because the system-provided ones will
-# likely grant the lockdown permissions we want to test.
-interface(`testsuite_read_debugfs_nolockdown',`
- gen_require(`
- type debugfs_t;
- ')
-
- read_files_pattern($1, debugfs_t, debugfs_t)
-')
-interface(`testsuite_read_tracefs_nolockdown',`
- gen_require(`
- type tracefs_t;
- ')
-
- read_files_pattern($1, tracefs_t, tracefs_t)
-')
@@ -112,10 +112,6 @@ SUBDIRS += perf_event
endif
endif
-ifeq ($(shell grep -q lockdown $(POLDEV)/include/support/all_perms.spt && echo true),true)
-SUBDIRS += lockdown
-endif
-
ifeq ($(shell grep -q filesystem $(POLDEV)/include/support/all_perms.spt && echo true),true)
SUBDIRS += $(addprefix filesystem/,$(FILESYSTEMS))
ifeq ($(shell grep -q all_filesystem_perms.*watch $(POLDEV)/include/support/all_perms.spt && echo true),true)
deleted file mode 100644
@@ -1,2 +0,0 @@
-all:
-clean:
deleted file mode 100755
@@ -1,47 +0,0 @@
-#!/usr/bin/perl
-
-use Test;
-BEGIN { plan tests => 8 }
-
-$integrity_cmd = "head -c 1 /sys/kernel/debug/fault_around_bytes";
-$confidentiality_cmd = "head -c 1 /sys/kernel/debug/tracing/tracing_on";
-
-# everything is allowed
-$result =
- system "runcon -t test_lockdown_all_t -- $integrity_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-$result =
- system
- "runcon -t test_lockdown_all_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-# only integrity operations allowed
-$result = system
- "runcon -t test_lockdown_integrity_t -- $integrity_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-$result = system
-"runcon -t test_lockdown_integrity_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok($result);
-
-# only confidentiality operations allowed
-$result = system
-"runcon -t test_lockdown_confidentiality_t -- $integrity_cmd > /dev/null 2>&1";
-ok($result);
-
-$result = system
-"runcon -t test_lockdown_confidentiality_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok( $result, 0 );
-
-# nothing is allowed
-$result =
- system "runcon -t test_lockdown_none_t -- $integrity_cmd > /dev/null 2>&1";
-ok($result);
-
-$result =
- system
- "runcon -t test_lockdown_none_t -- $confidentiality_cmd > /dev/null 2>&1";
-ok($result);
-
-exit;
The lockdown class is about to be removed from the mainline kernel due to the difficulty of ensuring that a relevant subject context is available during each call to the locked_down hook. Hence remove the lockdown test from the testsuite. Note that the module_load and perf_event test policy still conditionally provides rules involving the lockdown class so that these tests can still work on older kernels. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> --- policy/Makefile | 3 ++- policy/test_lockdown.te | 54 ----------------------------------------- policy/test_policy.if | 17 ------------- tests/Makefile | 4 --- tests/lockdown/Makefile | 2 -- tests/lockdown/test | 47 ----------------------------------- 6 files changed, 2 insertions(+), 125 deletions(-) delete mode 100644 policy/test_lockdown.te delete mode 100644 tests/lockdown/Makefile delete mode 100755 tests/lockdown/test